
AWS VPC Security Best Practices


In today's article, we'll discuss different measures that make up AWS VPC security best practices. Security is built from different layers of protection, each one reducing the chance of a successful attack.

I want to begin with routing, because if you can’t reach something and you don’t have access to it, it’s going to be near impossible to attack. So, if we begin with routing and limit who has access to the systems, it will become much harder for others to attack it.

  • Virtual Local Area Networks (VLANs): Virtualization of switches, whereby one switch is logically separated into different parts. Each logically separated VLAN is placed in a separate subnet, and routing information is provided only to the subnets that need cloud access. This limits cloud access to those people, and their systems, that need to reach the subnets necessary to perform their roles. If you can't reach a subnet, you can't hack it, so this is first-line security. This type of network security can significantly increase an organization's security posture at no cost.


  • FIREWALL: This is a device or software that builds a strongly secured perimeter around the edge of the network. It blocks all incoming traffic by default and allows only the specific traffic permitted by a firewall policy. There are some phenomenal commercial firewalls that you can use with your VPC: Cisco, Palo Alto, Fortinet, etc. These are very strong firewalls; they not only block traffic, they are also adaptive. This means they can look at traffic that doesn't make sense and generate rules on demand to block things they find to be dangerous. So commercial firewalls are a great option.

In a firewall, you create a policy to allow in only what needs to come in: TCP port 179 for BGP routing, and whatever ports are necessary for your systems, whether HTTPS, SSH, or whatever else the organization requires. The firewall is stateful, which means that once it allows inbound traffic, the corresponding outbound (return) traffic is allowed automatically.

AWS also has a proprietary firewall called the Web Application Firewall (WAF), which is placed on a Content Delivery Network (CDN) distribution, an Amazon API Gateway REST API, or even an Application Load Balancer. In AWS, WAF is configured alongside CloudWatch to monitor the traffic metrics; one can set up alerts and create rules to notify system administrators.


  • NETWORK ACCESS CONTROL LISTS: This is a virtual router function that blocks traffic in and out of subnets. It is stateless, meaning both the inbound and the outbound (return) traffic must be stated explicitly. The virtual device is stateless because it does not track the direction in which a connection was established; it only applies packet inspection rules that allow or deny. All network ACLs have a default policy, which is to deny all traffic. As a result, when building policies, one must specify the source and destination address (the allow rules are ordered before the deny policy), the protocol, and the port number; wildcards can be used for these as well.


  • SECURITY GROUP: This is a virtual firewall that keeps traffic out of an instance (virtual machine) or service. It is stateful: once it allows inbound traffic, the corresponding outbound (return) traffic is allowed.
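The stateless-versus-stateful difference between the two bullets above is easiest to see in a small model. The following is an added example, not code from the original article or from AWS: it evaluates a constructed HTTPS request and its reply against a network ACL (lowest rule number wins, implicit deny at the end) and against a security group (connection tracking). All rule numbers, CIDRs and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int      # NACL rules are evaluated lowest number first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR (inbound rule) or destination CIDR (outbound rule)

    def matches(self, ip, protocol, port):
        return (self.protocol in ("all", protocol) and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))

def nacl_decision(rules, ip, protocol, port):
    """Stateless: lowest-numbered matching rule wins; no match hits the final deny-all."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(ip, protocol, port):
            return r.action
    return "deny"

@dataclass
class SecurityGroup:
    """Stateful: allow rules only; replies to tracked connections pass with no outbound rule."""
    inbound: list
    tracked: set = field(default_factory=set)

    def inbound_allowed(self, src_ip, protocol, port):
        ok = any(r.matches(src_ip, protocol, port) for r in self.inbound)
        if ok:
            self.tracked.add((src_ip, protocol, port))   # remember the connection
        return ok
    def reply_allowed(self, dst_ip, protocol, server_port):
        return (dst_ip, protocol, server_port) in self.tracked

# Constructed sample: a client on an ephemeral port sends an HTTPS request to our subnet.
CLIENT, EPHEMERAL = "203.0.113.10", 50000
INBOUND = [Rule(90, "deny", "tcp", 443, 443, "198.51.100.0/24"),   # deny ordered before allow
           Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
OUT_ONLY_443 = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]   # reply direction not stated
OUT_WITH_EPHEMERAL = OUT_ONLY_443 + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]

def https_exchange_via_nacl(outbound_rules):
    return (nacl_decision(INBOUND, CLIENT, "tcp", 443),               # request into the subnet
            nacl_decision(outbound_rules, CLIENT, "tcp", EPHEMERAL))  # reply back to the client
def https_exchange_via_sg():
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")])
    return sg.inbound_allowed(CLIENT, "tcp", 443) and sg.reply_allowed(CLIENT, "tcp", 443)
```

With only port 443 stated outbound, the NACL lets the request in but drops the reply; adding the ephemeral-port rule fixes it, while the security group needs no outbound rule at all.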


  • HOST-BASED FIREWALL: This is an additional layer of protection on the operating system itself, catching traffic that may not have been caught by the network security layers. These firewalls can protect the system, at least for a period, or may completely thwart the attack.


  • ANTI-MALWARE PROTECTION: All servers should have anti-malware protection against worms and viruses.


  • AWS SHIELD: This is Distributed Denial of Service (DDoS) protection; it minimizes application downtime and latency. There are two versions. There is the Standard version, which is free to organizations that are using WAF, and there is Shield Advanced, which provides protection for many resources: EC2 instances, load balancers, CloudFront distributions, Route 53, and Global Accelerator.


  • INTRUSION PREVENTION / INTRUSION DETECTION SYSTEM (IPS/IDS): This is a device or software application that monitors a network or systems for malicious activity or policy violations. It can look at behaviors, adapt, and stop the activity as needed, creating rules on demand. It is very useful to have intrusion detection and intrusion prevention in your systems.


  • Identity and Access Management (IAM): It is essential to identify who the user is, what the user can do on the systems, and then to track the user's access. This is performed with Identity and Access Management, which can be summarized as follows:
    • Authentication – identification of the user (Who are you?)
    • Authorization – what can you access?
    • Accounting – what have you done?

Identity and access management gives us the ability to provide the right level of access to our users.  What is the right level of access?  The minimal amount of access necessary for people to perform their jobs.


  • Encryption – Encryption is another component of security. It is a means of securing data by encoding it so that it can only be read, or decrypted, by those with the correct key. Encryption processes translate data using an algorithm that makes the original information unreadable except to authorized users. Encryption should be used for stored data (encryption at rest) and for data moving between systems (encryption in transit).

In conclusion, security takes a layered approach. Each layer works together with the others to provide a cohesive security solution!


About Our Founder

Michael Gibbs is the CEO of Go Cloud Careers, a global organization that provides training for elite cloud computing careers and places a strong emphasis on helping individuals achieve their dream technology career. He is an outspoken critic of single cloud reliance and was recently featured in Investors Business Daily, Information Week, Tech Target, Authority Magazine, authored articles in HomeBusinessMagazine, and has appeared on Inside Analysis and TechStrong TV. In 2013, after a successful career with Cisco Systems as a Global Systems Engineer, he founded Go Cloud Architects, an educational organization focused on helping individuals achieve their dream technology career.

Michael is a technology expert with 25 years of experience in networking, cloud computing, and IT security. After a successful career with Cisco Systems, where he served in senior leadership as the lead enterprise architect in the global healthcare consulting practice, Michael founded Go Cloud Architects. Michael is a highly requested speaker and industry thought leader who presents at key conferences throughout the world. A passionate educator with 20 years of experience in coaching and mentoring others; Michael is also a Cisco Certified Internetwork Expert, a Google Professional Cloud Architect and holds a Master’s of Science (MS) and Master’s of Business Administration (MBA) from Widener University.
